Huawei firewall NAT port mapping (nat server)

Posted by 害怕网络暴力


1. Topology

CE1 uses a loopback interface (1.1.1.1) to simulate an outside user who wants to reach TCP port 8080 on the internal device CE3 (2.2.2.2). The firewall has to publish this service with a nat server entry that maps 2.2.2.2:8080 to 10.10.10.10:8080; only then can outside users reach it.

2. Configuration

CE1:

<HUAWEI>sys
Enter system view, return user view with return command.
[~HUAWEI]in g1/0/0
[~HUAWEI-GE1/0/0]undo portswitch
[*HUAWEI-GE1/0/0]undo shutdown 
[*HUAWEI-GE1/0/0]ip address 200.0.1.1 30
[*HUAWEI-GE1/0/0]qu
[*HUAWEI]interface LoopBack 0
[*HUAWEI-LoopBack0]ip address  1.1.1.1 32
[*HUAWEI-LoopBack0]qu
[*HUAWEI]ospf 1 
[*HUAWEI-ospf-1]area 0
[*HUAWEI-ospf-1-area-0.0.0.0]network 200.0.1.1 0.0.0.0
[*HUAWEI-ospf-1-area-0.0.0.0]network 1.1.1.1 0.0.0.0
[*HUAWEI-ospf-1-area-0.0.0.0]qu
[*HUAWEI-ospf-1]qu
[*HUAWEI]command-privilege
[*HUAWEI]commit

CE2:

<HUAWEI>sys
Enter system view, return user view with return command.
[~HUAWEI]in g1/0/0
[~HUAWEI-GE1/0/0]undo portswitch
[*HUAWEI-GE1/0/0]undo shutdown
[*HUAWEI-GE1/0/0]ip address 200.0.1.2 30
[*HUAWEI-GE1/0/0]in g1/0/1
[*HUAWEI-GE1/0/1]undo portswitch
[*HUAWEI-GE1/0/1]undo shutdown
[*HUAWEI-GE1/0/1]ip address 200.0.0.1 30
[*HUAWEI-GE1/0/1]qu
[*HUAWEI]ospf 1
[*HUAWEI-ospf-1]area 0
[*HUAWEI-ospf-1-area-0.0.0.0]network 200.0.1.2 0.0.0.0
[*HUAWEI-ospf-1-area-0.0.0.0]network 200.0.0.1 0.0.0.0
[*HUAWEI-ospf-1-area-0.0.0.0]commit

FW1 (USG6000V). The local-untrust and untrust-local rules permit all traffic between the firewall itself and the untrust zone, which is what lets the OSPF adjacency with CE2 form. The nat server entry publishes 2.2.2.2:8080 as 10.10.10.10:8080; no-reverse means the mapping is used only for inbound connections, so traffic that 2.2.2.2 itself originates is not translated to 10.10.10.10. Because 10.10.10.10 is not configured on any interface, CE1 and CE2 reach it through the default route that FW1 injects into OSPF with default-route-advertise always. The nat-out rule admits the mapped traffic and names the inside address 2.2.2.2 rather than 10.10.10.10, since the USG applies nat server before the security policy is matched:

[USG6000V1]in g0/0/0
[USG6000V1-GigabitEthernet0/0/0]ip address 200.0.0.2 255.255.255.252
[USG6000V1]in g1/0/0
[USG6000V1-GigabitEthernet1/0/0]ip address 192.168.1.2 255.255.255.252
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name local-untrust
[USG6000V1-policy-security-rule-local-untrust]source-zone local
[USG6000V1-policy-security-rule-local-untrust]destination-zone untrust
[USG6000V1-policy-security-rule-local-untrust]action permit
[USG6000V1-policy-security]rule name untrust-local
[USG6000V1-policy-security-rule-untrust-local]source-zone untrust
[USG6000V1-policy-security-rule-untrust-local]destination-zone local
[USG6000V1-policy-security-rule-untrust-local]action permit
[USG6000V1]firewall zone untrust
[USG6000V1-zone-untrust]add interface GigabitEthernet0/0/0
[USG6000V1]firewall zone trust
[USG6000V1-zone-trust]add interface g1/0/0
[USG6000V1]nat server protocol tcp global 10.10.10.10 8080 inside 2.2.2.2 8080 no-reverse
[USG6000V1]ospf 1
[USG6000V1-ospf-1]default-route-advertise always
[USG6000V1-ospf-1]area 0
[USG6000V1-ospf-1-area-0.0.0.0]network 200.0.0.2 0.0.0.0
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name nat-out
[USG6000V1-policy-security-rule-nat-out]source-zone untrust
[USG6000V1-policy-security-rule-nat-out]destination-zone trust
[USG6000V1-policy-security-rule-nat-out]source-address 1.1.1.1 32
[USG6000V1-policy-security-rule-nat-out]destination-address 2.2.2.2 32
[USG6000V1-policy-security-rule-nat-out]service protocol tcp destination-port 8080
[USG6000V1-policy-security-rule-nat-out]action permit
[USG6000V1]ip route-static 2.2.2.2 32 192.168.1.1

CE3 (the internal server, reachable at 2.2.2.2 on LoopBack0; Telnet on TCP port 8080 stands in for the published service):

<HUAWEI>sys
Enter system view, return user view with return command.
[~HUAWEI]in g1/0/0
[~HUAWEI-GE1/0/0]undo portswitch 
[*HUAWEI-GE1/0/0]ip address  192.168.1.1 30
[*HUAWEI-GE1/0/0]undo shutdown 
[*HUAWEI-GE1/0/0]qu
[*HUAWEI]ip route-static 0.0.0.0 0 192.168.1.2 
[~HUAWEI]dis ip in brief 
[~HUAWEI]interface LoopBack 0
[*HUAWEI-LoopBack0]ip address  2.2.2.2 32 
[*HUAWEI-LoopBack0]qu
[*HUAWEI]aaa
[*HUAWEI-aaa]local-user huawei password cipher Admin@123
[*HUAWEI-aaa]local-user huawei level 3
[*HUAWEI-aaa]local-user huawei service-type telnet 
[*HUAWEI]telnet server port 8080
[~HUAWEI]user-interface vty  0 4
[~HUAWEI-ui-vty0-4]authentication-mode aaa
[*HUAWEI-ui-vty0-4]user privilege level 3
[*HUAWEI-ui-vty0-4]idle-timeout 5
[*HUAWEI-ui-vty0-4]quit
[*HUAWEI]commit

Test:
